Tougher sanctions for DPA breaches – from April 2010?

Various measures to toughen UK data protection enforcement have been in the pipeline for some time. Recent statements by the Ministry of Justice indicate that certain of these could be brought into force as soon as next “red tape day”, i.e. 6 April 2010. Part of the problem with tracking the myriad proposed changes to UK data protection legislation is that they are currently dotted about in various Bills, Acts and SIs, all at different stages of the legislative obstacle race. This Datonomist does not mind admitting she finds it hard to keep up!

The first of the changes on the near horizon is the proposal to introduce custodial sentences of up to two years for the offence under section 55 of the DPA of knowing or reckless misuse of personal data. This is contained in an MOJ consultation paper published on 15 October. As Datonomy readers may be aware, such proposals have been on the table since the Commissioner’s 2006 report “What price privacy”. The plans have been given impetus by the new Commissioner’s evidence last month to a Parliamentary Select Committee. The new sentence is intended to provide a more effective deterrent (the current penalty being a £5000 fine) to stop the likes of private investigators and “blaggers” from plying their lucrative trade in personal data. The proposals have prompted concerns from some quarters of the media over the potentially chilling effect they could have over press freedom (the freedom to rifle through people’s bins?? hello??)

As a concession to media concerns, the consultation proposes a new public interest-based defence, to protect legitimate journalistic activities – see page 11 of the consultation and this measured comment by Alan Travis in the Guardian. Interested parties have until 7 January to submit views on whether the new sanction should come into force in April (or indeed ever).

The second change on the near horizon is of wider interest since it affects all data controllers – or at any rate, those who deliberately or recklessly breach the Data Protection Principles. This is to be found in the recently added section 55A (introduced by section 144 of the CJIA 2008) which will enable the ICO to impose fixed monetary penalties. The new powers will apply to serious breaches of the Act which are likely to cause substantial damage or distress, and which are committed deliberately or recklessly.

When I say “recently added”, I mean May 2008 which is when it reached the statute book. However, the sanction is still not “live”, as the amount of the penalties (which will need to be set by SI) is still to be determined. We understand that a capped percentage of turnover model, similar to that used by the FSA, may be adopted. If the new DPA fines are on a similar scale to the fines recently doled out by the FSA for privacy related breaches, the new powers should indeed help to focus the minds of data controllers on compliance issues. However, an official indication on the level of the fines is still awaited.

Hopefully, all will be revealed in the not too distant future, as both the MOJ consultation document and the Commissioner’s recent conference presentation allude to these penalties coming into force “in April 2010”. Watch this space.